As Caller ID Spoofing Becomes Harder, Fraud Tactics Will Shift
STIR/SHAKEN is now the law of the land. As of July 1st, telephone carriers are self-certifying calls originating from their networks to document call authenticity. Consumers will have more reason to trust phone calls again thanks to how STIR/SHAKEN distinguishes legitimate calls from questionable ones. STIR/SHAKEN will make the practice of high-volume calling campaigns via automated caller ID spoofing less effective and, hopefully, much less common.
Participating carriers will document and communicate whether each caller involved is their customer, whether each call originated on their network, and whether they assigned each calling number to the caller. With spoofed calls, carriers will not have assigned the number and may not have authenticated the caller’s identity. These calls will receive a lower-level rating or “attestation,” which will alert the terminating carrier and call recipient to beware or filter the call. In addition to spoofed robocall scammers, this approach will also set back fraudsters who use call spoofing to attack call centers.
STIR/SHAKEN makes caller ID spoofing more difficult
It has become far too easy to attack an inbound call center via caller ID spoofing. Criminals write software to spoof calls on their laptops or simply download spoofing tools from a phone app store. Either method allows callers to present any number as the calling number. Criminals can impersonate real customers by calling from a phone number ostensibly associated with the customer account. Inbound call centers have no easy way to determine if calls come from the purported number.
With STIR/SHAKEN in place, criminals will have to work much harder to place spoofed calls with a desirable attestation level. Otherwise, they may raise suspicion before they reach an IVR or call center agent. If fraudsters cannot garner the desired attestation level for their calls, they will adapt. The question is, “How?”
Expect criminals to replace caller ID spoofing with other tactics
Fortunately, we already know how criminals will likely respond to STIR/SHAKEN. For several years, third-party tools have separated legitimate calls from those that are likely spoofed. Overall, these tools have made it more difficult to succeed at spoofing, although their accuracy and specificity vary (e.g., they sometimes identify legitimate calls as spoofed). In response, many fraudsters have adopted virtual calling applications to attempt account takeover fraud.
Skype and Google Voice lead the virtual calling space, but they require some identifying information to create an account—a potential risk factor for some criminals. Hundreds of lesser-known virtual call services preserve anonymity during account creation. These services allow criminals to place legitimate, untraceable calls from anywhere in the world, ostensibly from any area code, while preserving anonymity. Worse, because calls from these apps are not spoofed, they will receive a high-level attestation.
Fraud attempts using virtual apps have risen sharply over the past 18 months. Market studies, such as the State of Call Center Authentication survey, show a rapid rise in use of virtual call apps to attack call centers. In 2021, half of call center leaders observed an increase of fraudsters using virtual call services to launch anonymous attacks.
How to prepare for criminal activity without caller ID spoofing
As it becomes more difficult to place spoofed calls successfully, an increasing number of criminals are likely to turn to virtual call services. The enactment of STIR/SHAKEN signals an imperative for forward-thinking inbound call centers to prepare and monitor for more criminal activity through alternate vectors. The following guidelines provide a strong starting point for preparations:
- Remember the intention behind STIR/SHAKEN. The framework reduces the utility of one criminal technique. It was not designed to protect against other fraud vectors.
- Acquire solutions that identify and isolate calls coming from virtual apps. That requires partnering with a service situated within the phone network.
- Partner with a phone call validation service to keep informed about the latest virtual tools in criminal use. While there are hundreds of these tools, criminals tend to favor a dozen for their attacks. However, they can easily switch tools if one becomes less effective.
- Develop call flows to treat callers using high-risk virtual apps appropriately. Consider stepped-up authentication practices, routing callers to agents that specialize in high-risk engagements, and limiting the activities these callers can perform.
- Monitor for other patterns that can signal an account takeover attack, such as a recent number reassignment, strange calling patterns, and numbers that just went into service. Keep an eye out for spoofed calls too. Criminals will devise workarounds to maintain that vector in the future.
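The call-flow guidelines above, sketched as an added example (not code from the original article): it reads the attestation from a SHAKEN PASSporT and combines it with other risk signals, so a fully attested call from a virtual app is still stepped up. The `attest` values A/B/C and claim names follow the SHAKEN PASSporT format (RFC 8588); the `signals` fields, the 30-day threshold, and the treatment names are hypothetical.

```python
import base64
import json

def _b64url(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def attestation(identity_token):
    """Return the 'attest' claim (A, B or C) of a SHAKEN PASSporT, or None.
    Signature and certificate checks are assumed to have been done upstream."""
    try:
        header_b64, payload_b64, _sig = identity_token.split(".")
        if json.loads(_b64url(header_b64)).get("ppt") != "shaken":
            return None
        return json.loads(_b64url(payload_b64)).get("attest")
    except (AttributeError, ValueError):  # missing token or malformed segment
        return None

def route_call(identity_token, signals):
    """signals: hypothetical fields supplied by a call validation service."""
    reasons = []
    if attestation(identity_token) != "A":
        reasons.append("attestation missing or below A")
    if signals.get("virtual_app"):
        reasons.append("virtual calling app")
    if signals.get("days_in_service", 9999) < 30:  # illustrative threshold
        reasons.append("number recently put into service")
    if signals.get("recently_reassigned"):
        reasons.append("number recently reassigned")
    # Illustrative policy: one signal steps up authentication; two or more
    # also route to a specialist agent with restricted account actions.
    levels = ("standard", "step_up_auth", "specialist_agent_restricted")
    return {"treatment": levels[min(len(reasons), 2)], "reasons": reasons}

def sample_token(attest):
    # Constructed, unsigned sample; real tokens arrive in the SIP Identity header.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    payload = {"attest": attest, "orig": {"tn": "12025550100"},
               "dest": {"tn": ["12025550199"]}, "iat": 1625097600,
               "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(header)}.{enc(payload)}.c2ln"

if __name__ == "__main__":
    print(route_call(sample_token("A"), {}))
    print(route_call(sample_token("A"), {"virtual_app": True}))
    print(route_call(sample_token("C"), {"days_in_service": 3}))
```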
STIR/SHAKEN was conceived, designed, and implemented to benefit consumers. The framework will increase consumer trust in the phone calls they receive. As an additional benefit, STIR/SHAKEN will make it harder for fraudsters to take over consumer accounts via call spoofing. This new challenge will drive the adoption of alternate account takeover tactics. Financial institutions can anticipate and prepare for criminals’ next moves by following the above guidelines.